House of Commons - Home Affairs

Select Committee on Home Affairs Written Evidence

49. First supplementary memorandum submitted by the Editors of Data Protection and Privacy Practice

INTRODUCTION

We present our views to the Home Affairs Select Committee as the Editors of Data Protection and Privacy Practice, published by Masons, a leading international firm of solicitors with a strong IT practice, especially in the field of privacy, FOI and data protection. The views expressed here do not represent the views of the firm and we have no objection to these views being published.

We present our comments in a series of recommendations (summarised below) followed by a brief explanation; if further detail is needed, please contact us. We apologise for going over your recommended word length, but we raise several new points which became apparent only after text of the draft ID Card Bill was published.

Our recommendations to the Committee are summarised as follows:

1. We invite the Committee to conclude that the original focus on an ID/entitlement card scheme upon a mechanism for establishing identity has been replaced by an emphasis on the central database of registrable facts.

2. We invite the Committee to conclude that for most part, the contents of the central database of registrable facts have nothing to do with establishing identity or entitlement.

3. We invite the Committee to conclude that the central database of registrable facts is needed mainly in order to link diverse Government databases together and/or to serve the needs of the law enforcement agencies.

4. We invite the Committee to conclude that the central database of registrable facts should not contain audit trails of ID card use that can be accessed, in secret, by the security services and police in order to identify the services used by every citizen.

5. We invite the Committee to conclude the Data Protection Act will not afford much privacy protection in relation to the collection and use of registrable facts on the central database.

6. We invite the Committee to conclude that public support for the introduction of an ID Card has been obtained in the absence of an informed public debate about the nature of the central database of registrable facts.

7. We invite the Committee to conclude that the provisions in the draft ID Card Bill which grant powers to Ministers to draft wide regulations which can impact on privacy are not subject to effective scrutiny.

SUMMARY COMMENTARY IN RELATION TO EACH RECOMMENDATION

The draft ID Card Bill published in "Legislation on Identity Cards" (CM 6178) provides five statutory purposes in Clause 1(2) which are:

— Providing a record of registrable facts about individuals in the UK.

— Providing a record of registrable facts about other individuals (living or dead) who have been in the UK or who have applied to be entered in the Register.

— Facilitating the issue of cards containing information that may be used by an individual for establishing his identity, place of residence or residential status.

— Facilitating the provision of a service by means of which registrable facts about a registered individual may, with his consent, be ascertained or verified by other persons.

— Enabling information recorded in the Register for any of the preceding purposes to be disclosed to persons in cases authorised by or under this Act.

In the original "Entitlement Cards and Identity Fraud" publication (CM5557) which was subject to a detailed consultation process with the public, the purpose of the scheme was stated in the first paragraph to: "establish identity to a high degree of assurance", "to establish . . . one definitive record of identity", to "help" people "gain entitlement to products and services provided by the public and private sectors", and to "help . . . validate a person's identity and entitlement to such services. Most of the public debate focused on these aspects of the ID card.

These purposes are, however, covered in Clause 1(2) (b) and 1(2)(c) of the Draft Bill (the two purposes of "facilitating the issue of cards . . ." and "facilitating the provision of a service . . ."). This means, according to Clause 1(2) of the Bill, that there are three other statutory purposes focusing on the recording of details about individuals on a central registry database, and facilitating disclosures of material on the database to a number of public authorities.

In other words, the two statutory purposes dealing with the question of entitlement or identification, the subject matter of extensive public consultation, are now in the minority. The other three statutory purposes, which have their focus on the creation and use of a central registry database, have now emerged as the main purposes of the ID card scheme.

The focus of the ID card scheme has therefore changed because more statutory purposes have been added in respect of the database—a theme which runs through all our other recommendations to the Committee.

2. We invite the Committee to conclude that for most part, the contents of the central database of registrable facts have nothing to do with establishing identity or entitlement

There will be an obvious need for a database of some kind to support an identity/entitlement Card. But to achieve these latter two objectives, the data can be limited photograph, name, national identity number and biometric details of the individual. Such data would satisfy the purposes of identification of a citizen entitled to a public services.

As the issuing of an ID card is going to be by a secure route, it can be assumed that the possession of the card assures residence/immigration status to a degree that qualifies the individual to the entitlement to services and that a cross reference to the central database via these limited data items would validate the Card against forgery or impersonation.

The idea that a very limited amount of information is needed to confirm identity, is reinforced by the second paragraph of Schedule 1 to the draft ID Card Bill. The paragraphs under the heading "identifying information" is limited to photograph, fingerprint and biometric. The other data items are not classified as "identifying information"—the Bill makes it clear that they are needed for other things.

It follows that an ID Card does not require to be supported by a comprehensive database of personal data to achieve its identification and entitlement objectives. In fact, it is questionable whether an ID card is necessary at all for those purposes (eg if service providers who need to check entitlement can check biometrics and photographs in real time against a central database).

The additional data stipulated must be included in order to support other objectives which have nothing to do with identity or entitlement.

When you look at the items proposed for inclusion in the central registry database, it is clear that the personal data used to support the ID card are relevant to the far wider objectives. The fact that details such as every change of address detail, date of birth, place of birth, audit details which trace the use of the Card in connection with a service are being recorded on a central database indicates a number of possibilities. These include the ability to share or create linkages between personal data collections across a range of Government Departments, or possibly rationalising government databases, or permitting the police, security services, other law enforcement agencies to monitor individual use of state (and private) services.

This data-sharing agenda has not been made apparent in the public consultation, yet it is now the main element of the draft ID Card Bill.

This central database, once established, will quite clearly become hub which links to other public and private sector databases—pointing to where authorised public authorities agencies can get further information. This database therefore changes fundamentally the relationship between the individual and the state—especially as there will be "audit trails" of services used by every citizen.

This change of focus on the needs of the central registry database is reflected in the main objectives of the draft ID Card Bill which are specified in its first 25 clauses. The are seven clauses about collecting personal data for the central registry database, two clauses about maintaining the database, and six clauses about disclosures from the register—a total of 15 clauses. By contrast, there are three clauses about ID cards and five clauses about identity checks.

Yet it is these last-mentioned eight clauses which define the title of the "Identity Cards Bill", notwithstanding that in practice most of the Bill is about the central registry database. This is, to say the least, misleading—especially as even the identity card element of the Bill is politically hightly controversial. Tracking the activities of citizens will be even more so.

The data items of the database have been augmented by what is called "audit trail" information—and this also suggests that the central registry database has become the main focus of the scheme.

In "Entitlement Card and Identity Fraud", paragraph 86 (page 126) states that "it is most unlikely that entitlement information relating to specific services would be held on the central register" and such details are missing from the list of "core personal information" on the opposite page (page 127). Paragraph 3.29 of the document suggests that access to the register by the authorities could be subject to warrant arrangements. It appears that both of these limitations intended to protect privacy have now been removed—they do not appear in the Bill.

Under "access records" (paragraph 9 of Schedule 1 of the draft Bill), "particulars of every occasion on which a person has accessed an individual's entry and of the person who accessed it" can be stored. So, for instance, if an individual card-holder uses service X and the service provider checks identity, then there is very likely to be a record which links the service provider X with the card-holder. If the ID card becomes fully operational and compulsory as intended, the provisions will create an electronic trace of all services used, create pointers to sources of detailed information about the services used by the card-holder. As data are to be retained indefinitely, this data collection will detail services used for the lifetime of each ID cardholder.

Under the provisions of the Bill, the police and security services and many other public authorities will be given powers to access these personal data including the audit trail of services used. Because the disclosure is subject to a statutory provision, the exemption from the non-disclosure provisions will apply (section 35(1) of the Data Protection Act). This means that there is an exemption from most of the data protection principles in relation to the disclosure.

Finally, paragraph 9 of Schedule 1 states that access details of all those who access the database "may be held"—there is no compulsion to hold such records of all disclosures and in the case of disclosure to the security services and the police, one can see pressure for such details not to be recorded. If that is the case, then the National ID Card Commissioner might not know details of such access by the police and security services because they will not be recorded.

The Government's proposals would therefore authorise the lawful, secret and unrecorded access by the authorities to centralised details which could, over time, summarise all the public and private services used by each and every card-holder during their lifetime.

It is not an underestimate to observe that such an prospect would normally be considered to be the badge of a totalitarian state.

5. We invite the Committee to conclude the Data Protection Act will not afford much privacy protection in relation to the collection and use of registrable facts on the central database

Annex D of the Legislation on Identity Cards shows how the "ID Card Bill complies with the Data Protection Act". This gives the impression that somehow there is a great deal of privacy protection which derives from the Act. This analysis, however, shows the Government's proposals amount to the granting of an exemption from major elements of the Data Protection Act 1998 for the ID card scheme. This exemption negates most of the protection afforded by the first five data protection principles.

In relation to the First and Second Principles, the Government says that the ID card scheme would comply the "lawfulness test" as the legislation would set out the statutory purpose of the central register. These statutory purposes are set out in Clause 1 of the Bill.

The Data Protection Act cannot in these circumstances offer privacy protection, because Parliament has determined that the purpose is lawful. So for instance, if regulations were to specify that, say the British National Party, could have access to the register, then that access would be lawful—end of argument. This unlikely scenario is put forward merely to make clear what should be understood whenever the assertion is made that "the ID Card scheme complies with the Data Protection Act".

Very little by way of privacy protection should be assumed—it will all depends on the drafting of the statutory instruments which give effect to Ministerial powers. The draft ID Card Bill provides for wide ranging powers in relation to the central registry database.

The three additional statutory purposes which are now in the majority (ie the ones dealing with the content of, and disclosure from the central registry data base) are not "purposes" in the traditional data protection sense—for example, personal data being processed for the purpose of employee-employer relations or for housing benefit purpose. For instance, the statutory purpose of "providing a record of registrable facts about individuals in the UK" is not a use of data—it's a statement that data can be retained so they can be disclosed for any of the purposes associated with any body who is authorised to have access to them.

This becomes apparent when the purpose is substituted into the text of the Third Principle, for instance. This Principle states that "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed". With a "normal" purpose, such as housing benefit, the Principle makes sense "Personal data shall be adequate, relevant and not excessive in relation to the purpose of housing benefits". So an organisation performing the processing for housing benefit can be called upon to justify the relevance of a particular data item to the purpose.

By contrast, in the case of the additional three statutory purposes in clause 1(2)(a), 2(b) and 2(e) we have something like "Personal data shall be adequate, relevant and not excessive in relation to the purpose of providing a record of registrable facts about individuals in the UK". In this case, the relevance is not assessed in terms of the one organisation performing the processing for a particular purpose—it has to be assessed in the context of all organisations which might be provided with the personal data and all their processing purposes.

It is this breadth of purpose which provides one reason why most of the Data Protection Principles will not offer much in the way of privacy protection; most of the Principles afford their protection through the use of the word "purpose".

The other Data Protection Principles

Schedule 1 of the ID Card Bill specifies the information to be contained in the central register Note that this statutory route also in effect removes any protection of the Third Principle—if legislation says personal data are necessary then they are necessary. This is especially the case with statutory purposes such as "providing a record of registrable facts about individuals in the UK". Relevant data are those data which could be relevant to any of the purposes of public authorities who are authorised to have access to the personal data—as can be seen, this is very broad.

The Government also make it clear in the final Annex of the consultation document that registry information will be retained indefinitely; this step, in effect, will negate the Fifth Principle which prohibits retention of personal data that are no longer needed.

To satisfy the Fourth Principle, the Bill obliges card-holders by law to provide information when they apply for a card and to notify changes of address. The usual application of the Fourth Principle arises when individuals want organisations to correct or update personal records which relate to them. If such organisations do not correct or update their records, then individuals can use the protection afforded by this Principle to oblige amendments. The application of this Principle is balanced by allowing an organisation to show just cause as to why it should not correct or update personal data which are subject to a dispute over accuracy.

The ID card scheme perverts this Principle. Accuracy is maintained, not by the organisation taking all reasonable steps to maintain accuracy, but by placing obligations on individuals, some backed by civil sanctions, to provide personal data about themselves. To pretend, as the Consultation Document does, that this then is a measure which protects the individual is nonsense.

In relation to the Sixth Principle, there is little to say—the right of access to the register details is emphasised, but this is just a right to access personal data which the data subject is obliged to provide by law! The fact that access might not be charged at £10, or that there might be on-line access to the Register, will count for little.

Hence our conclusion—the Data Protection Act will afford little in the way of privacy protection.

All our earlier commentary raises the question of whether the original "Entitlement Cards and Identity Fraud" consultation procedure on ID cards was properly focused in order to lead an informed public debate on the complete range of five statutory purposes as proposed in the draft ID Card Bill. In particular, did the Home Office, in its consultation process, give sufficient prominence to the fact that more purposes of the entitlement card scheme would be associated with the operation of the central registry database?

The question is important as the Home Office claims popular support for the ID Card based on its response to the consultation process. If the consultation process has given an incomplete picture of the scheme, then the claim for that support cannot be relied upon.

Consideration of Annex 1 in "Entitlement Cards and Identity Fraud" confirms that the prime focus of the consultation exercise is on the Card and its use in establishing entitlement to access services. Annex 1 lists 36 original consultation points, the vast majority of which are focused directly on the Card, or its use, or other matters related to establishing identity matters.

Very few consultation points in "Entitlement Cards and Identity Fraud" dealt directly with the data stored on the central registry database directly. Consultation point 8 (underpinning a national population register), point 32 ("Views are welcomed on what information should be held to administer a card scheme . . ."). The third subparagraph of consultation point 15 of Annex 1 dealt with wider access to the database by police and other agencies. Details of the database are tucked in an Annex to the consultation document—hardly the place for something which now requires three of the five statutory purposes.

Another way of presenting the above is that 33 consultation questions in "Entitlement Cards and Identity Fraud" are related to two statutory purposes (Clause 1(2)(b) and (c) of the draft Bill); these are further delineated in the draft ID Card Bill in eight clauses about ID cards and identity checks. This compares with the two and a third consultation questions in "Entitlement Cards and Identity Fraud" which concern the central registry database. These are related to three statutory purposes (Clauses 1(2)(a), 1(2)(d) and 1(2)(e)) and the subject matter of 15 clauses in the ID Card Bill.

Hence our conclusion that the central registry database has not been subject to proper and informed public debate. Indeed there are arguments that this important database should be the subject of a such a debate—and we hope the Committee will recommend this step.

Some final observations:

Important details which impact on privacy or the disclosure and collection of personal data for the ID card scheme should not be subject to order-making powers which are very broad and which Members of the Committee know are often subject to minimal scrutiny by Parliament. There is very little privacy protection built into the proposed ID Card scheme and the scope of these powers need to be balanced with robust scrutiny. The fact that the ID Card Commissioner can write an annual report which can be censored by the Prime Minister do not suggest as a mechanism designed to protect privacy. It is extremely worrying that these powers could be available to all future Home Secretaries, some of whom might not share the instincts of the current incumbent.

There is no justification for the decision to make the scheme compulsory by means of secondary legislation. Members of the Committee know that primary legislation can be rushed through both Houses of Parliament if there is a pressing need (eg Official Secrets Act 1911, Anti-terrorism legislation from the 1970's). Primary legislation allows Parliament to review or amend the powers now being sought by Ministers in the draft ID Card Bill.

Members of the Committee might want to remind themselves of the Local Government Finance Act 1998 which introduced the Community Charge. This legislation shares with the Draft ID Card Bill two interesting similarities:

(i) both schemes had their advocates who promise a panacea for many ills; and

(ii) both schemes are associated with implementations by means of paving Bills where most clauses require powers to Ministers to sort out the operational details.

In our view, Parliament must be able to review or scrutinise the detail. Any ID Card Scheme is not just for Christmas, it is for ever.

Dr Chris Pounder and Sue Cullen

Editors of Data Protection and Privacy Practice

May 2004



© Parliamentary copyright 2004	Prepared 30 July 2004